Google gets into the weeds of Android Work

Google revealed more about how its new enterprise security and management framework -- otherwise known as Android Work -- will function in a seven-minute video the company posted during its Google I/O conference this week.

The video details how an Android smartphone can be set up to function for both work and personal uses under the next generation of Android, dubbed simply Android L and due out sometime this fall. At the same time, new devices from various Android manufacturers will appear that support the L version along with Android Work.

Developers are now getting access to a preview version of L, along with some glimpses of Android Work with a sample "Device Policy Client" app for use by IT admins that will come with the new OS.

During the I/O keynote on Wednesday, Sundar Pichai, Google's senior vice president of Android, Chrome and applications, said Android devices will be able to partition personal data and apps from work data and apps.

"No one wants to carry two phones," Pichai said. "With L, there will be a whole set of API's (application programming interfaces) to unify both experiences for a user, one for personal and another for corporate. That's full enterprise security."

Apps for workplace use will be sold through the Google Play store and can be purchased by enterprises in bulk, he added.

The announcement of the Android Work framework pleasantly surprised analysts who have dinged Google over the years for insufficient enterprise-grade security.

"Android Work is an improvement because Android typically gets knocks for being a security risk, simply because it's an open platform in many ways and because of all the apps you can bring to an Android device," said Ramon Llamas, an analyst at IDC. "So it's been a risk for a lot of folks. ...Whatever Google can do to beef up that security, that's good."

Still, Llamas warned, "one silver bullet won't do it all and it will take a myriad of improvements. You almost need a security platform of security platforms."

The idea of partitioning work and personal data and apps was used in BlackBerry smartphones as early as the Z10 smartphone introduced in early 2013. Since then, BlackBerry's impact on the smartphone market has nearly disappeared and other smartphone platforms have adopted the partitioning concept. Those include Samsung Galaxy smartphones running Android along with an enterprise management and security framework called Knox.

Pichai publicly thanked Samsung for contributing Knox capabilities to Android Work and all of Android. Google in May also acquired Divide, an enterprise software firm focused on companies wrestling with the bring-your-own-device (BYOD) tidal wave.

Pichai said the new Android Work features will be available on devices from Dell, Huawei, HTC, Hewlett-Packard, Lenovo, Samsung, Sony, LG, Motorola and Asus.

The dual-persona capability in Android may push Apple to respond, some analysts predicted.

As more workers buy Android and other devices to use at work, IT shops have turned to dozens of small and large Enterprise Mobility Management (EMM) and Enterprise Application Management (EAM) vendors to set up policies and procedures to protect vital corporate data.

Google, in its video, makes it clear that registered EMM software providers will be able modify their software using Google APIs to accommodate Android Work policies and can add their own features to their EMM software.

"Registered EMM providers can offer secure authentication to enterprise servers, control access to enterprise apps and can set policies to restrict what the user can do within the work profile," said James Kelly, the project manager for Android who narrates the video. "On the device itself, Google Play will securely provision apps within the Android Work profile."

Kelly adds: "The IT admin has fine-grain controls to make apps available to individual employees, groups or to the whole company."

For BYOD workers who bring a personal Android device to work, IT admins can create a secure Android Work profile to separate work from personal apps and data, he explains. However, BYOD users will be able to launch a single unified interface that shows both personal and work apps and allows both "notification" and "recent" alerts to appear from either the work or personal profile in a flip card-file style on a single display view.

In cases where the company owns the device, Android Work provides a simple provisioning step that sets up the enterprise as the device owner. "A device owner is a special type of device admin that cannot be deactivated. The company has full control of the device, including data and apps," Kelly says.

For BYOD devices, Google has created a Device Policy Client app that sets up a work profile to separate work and personal data and apps. Employees will be required to provide credentials that are approved by the IT admin.

Google has also created new Android Work APIs called "Profile Owner" and the more powerful "Device Owner." The Profile Owner is a special type of device administrator tool that cannot be modified by the device's primary user. The Device Owner gets a "superset" of IT controls, which can be set to control an entire device, including whether Wi-Fi access is allowed.

In existing EMM approaches, profiles can be set up for different work groups that are granted access to specific apps. So one group might have access to accounting and financial apps, for instance, while another can access legal or marketing apps.

Kelly assured Android app developers that most of their apps won't need to be altered to run in an Android Work setting.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.